Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


Fed Reserve Bank hack – don’t banks need PCI?

by Avivah Litan  |  November 21, 2010  |  3 Comments

Last week a Malaysian man was charged for hacking into the Federal Reserve Bank of Cleveland’s computer systems and for stealing more than 400,000 credit and debit card numbers. Later on IDG News reported that the Fed said he only broke into a test Fed system and that the Fed doesn’t process card numbers, so the card data couldn’t have been stolen there, nor was any sensitive information stolen during the hack.

Whatever the case, it does remind me and probably many of you – that banks are not subject to PCI enforcement. Try to find a PCI related deadline for card issuing banks on the Visa or MasterCard websites and you will come up noticeably short.

I remember moderating a panel at a Federal Reserve Bank conference about two and a half years ago, with the card brands and major U.S. merchants present. A treasurer at a top global merchant was noticeably irked when he asked the Visa rep on my panel when he could get a list of PCI compliant bank card issuers. The Visa panelist deflected the question.

It’s one of those parts of PCI enforcement that demonstrates the lack of a level playing field across banks, merchants, and merchant service providers. And it’s too esoteric an issue for Congress and the federal regulators to take on right now. They do seem to be making headway in breaking the secret circle and decision making process that dictates interchange fees, which should give merchants more power when it comes to payments. It would be nice if the security part of the card payment food chain equation were fair as well, but don’t hold your breath.


3 responses so far


  • 1 sorani   November 21, 2010 at 4:37 pm

    Banks have to comply with PCI DSS, as does everyone who stores, processes or transmits cardholder data… nonetheless, I agree with you that they do not have to show compliance (as the rest of the world does)… and now this kind of thing happens…

  • 2 Walt Conway   November 22, 2010 at 2:05 pm

    Bank card issuers are indeed subject to PCI DSS. The difference is that the card brands (Visa, MasterCard) set rules for validation. They also have an ‘exemption’ of sorts in that banks are allowed to retain the security codes (CVV2, CVC2) since they need them to produce cards.

    I wrote about this issue (http://www.storefrontbacktalk.com/securityfraud/i-wonder-if-my-card-issuer-has-a-roc/) which certainly is worth additional attention. There also is a PCI Council FAQ (#5391) on the subject.